| From | Julien Cristau <jcristau@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.python |
| Subject | Re: CPython hash randomization makes some Python packages unreproducible |
| Date | Sat, 09 Apr 2016 20:20:02 +0200 |
| Message-ID | <rm5Ee-LN-5@gated-at.bofh.it> |
| X-Mailing-List | <debian-python@lists.debian.org> archive/latest/13736 |
| List-ID | <debian-python.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-python/> |
On Sat, Apr 9, 2016 at 13:25:39 -0400, Cara wrote:

> I think a better solution is disabling hash randomization by setting
> PYTHONHASHSEED=0 when building Python packages with CPython for Debian,
> probably somewhere in dh-python. Note that this isn't necessary for
> PyPy, which doesn't have hash randomization[7]. Hash randomization was
> implemented to prevent, "[H]ash collisions [being] exploited to DoS a
> web framework that automatically parses input forms into
> dictionaries"[8]. This shouldn't be an issue at build-time, as any
> time CPython is run to read in the files written during the build, hash
> randomization will be enabled again.
>

FWIW I think that's a bad idea. A number of packages run their test suite at build time, and running the tests with hash randomization enabled seems to me like something we shouldn't give up.

Couldn't packages where the binary packages contents depend on the hash seed just set one themselves?

Cheers,
Julien
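Added example, not part of the original message and not code from dh-python or any Debian package: it runs a constructed build step under several PYTHONHASHSEED values to show both sides of the thread, that set-ordered output differs between seeds, and that either a fixed seed or sorting in the generator makes the artifact reproducible. The generator script, its name list and the helper names are assumptions made for illustration.

```python
import hashlib
import os
import subprocess
import sys

# Constructed stand-in for a build step: it emits a name list by iterating a
# set of str, so the order follows str hashes and therefore PYTHONHASHSEED.
GENERATOR = r'''
import sys
names = {"alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"}
ordered = sorted(names) if sys.argv[1] == "sorted" else list(names)
sys.stdout.write("\n".join(ordered))
'''


def build_digest(seed, mode):
    """Run the generator in a child interpreter with the given hash seed and
    return the SHA-256 of what it would have written into the package."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run(
        [sys.executable, "-c", GENERATOR, mode],
        env=env, check=True, capture_output=True,
    )
    return hashlib.sha256(result.stdout).hexdigest()


def distinct_outputs(seeds, mode):
    """Count how many different artifacts the given seeds produce."""
    return len({build_digest(seed, mode) for seed in seeds})


if __name__ == "__main__":
    seeds = range(1, 9)
    print("unsorted, seeds 1-8:", distinct_outputs(seeds, "unsorted"), "distinct outputs")
    print("sorted,   seeds 1-8:", distinct_outputs(seeds, "sorted"), "distinct outputs")
    print("unsorted, seed 0 twice:", distinct_outputs([0, 0], "unsorted"), "distinct output")
```

Running a package's own generator this way under a handful of seeds is a quick check for whether its binary contents depend on hash order, without turning randomization off for the test suite.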